Lately I have been playing around with the OGS API, trying to implement a chrome extension. After a while I managed to get some results, but now I’m wondering about the best way to use OAuth2.
My understanding of the required workflow
First I would like to clarify the workflow around token generation. At the moment, I’m requesting a new token each time the extension is loaded. I’m sure this is really, really bad for many reasons (load on the server, it infringes the “do not store user password” rule…). Since the documentation is not clear enough for me, could you please tell me whether my understanding of the process is correct:
- ask the user for their username/password and do not store the password
- request a token using client_id, client_secret, “password”, username, user_password
- store the response
- use response.access_token as long as it’s valid
- when the token is no longer valid, request a new token using
client_id, client_secret, “refresh_token”, username, response.refresh_token
If I’m right, this leads to more questions.
How long is the token available? I see there is an “expires_in” field in the response corresponding to 1 year expressed in seconds. Does that mean I can use the token for a full year with no restrictions?
And how do I know the token has expired? Do I just get the “401: Invalid token” error, or is it something different?
The doc says client_id, client_secret should never be shared, which is understandable.
But a chrome extension is no more than a bunch of text files zipped together, so anyone can see the content quite easily.
Let’s imagine my extension is a success and I want to share it on the Google extension store. Does that mean I have to share it with no client_id/client_secret and ask my users to generate one?
It would mean for a new user:
- download and install the extension
- go to http://online-go.com/user/settings to generate an app specific password
- go to http://online-go.com/developer to generate client_id/client_secret pair
- copy-paste all these hex characters into a settings page of my extension
I think many users would find it quite a boring process just to get a new icon on their favorite browser.
One last question
I was also wondering about the need for a client_id / client_secret pair, since they are sent together and never used again… Is it something like a work in progress?
That’s it. Sorry for the length of this post, but I really hope you will be able to answer my questions so that I can create the perfect Chrome extension.
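The token flow described in the post, written out as an added example (not code from the original post, and not OGS's own client library). It shows what the practical answers to the questions look like in code: the password grant is sent once and only the token response is kept, `expires_in` is converted to an absolute timestamp so the client can refresh proactively before the token lapses, and a `401` on an API call is treated as server-side invalidation that triggers one refresh-and-retry. The refresh grant here carries only `grant_type`, `refresh_token` and the client credentials, which is all RFC 6749 requires; OGS may or may not also accept a username. The token endpoint URL, the API URL, the in-memory mock server and the stored token shape are assumptions made for this example, not something taken from the OGS documentation. Note that a `client_secret` bundled into an extension package is readable by anyone who unzips it, exactly as the post says; nothing in this code changes that.

```javascript
// Added example: OAuth2 password grant + refresh-token handling for a browser extension.
// Assumed endpoints (check the OGS developer docs before relying on them):
const TOKEN_URL = "https://online-go.com/oauth2/token/";
const API_URL = "https://online-go.com/api/v1/me";

// Form-encode a grant request. Only client credentials plus the grant-specific fields are sent;
// the refresh grant needs no username or password (RFC 6749 section 6).
function grantBody(clientId, clientSecret, grant) {
  return new URLSearchParams({ client_id: clientId, client_secret: clientSecret, ...grant }).toString();
}

class OgsTokenClient {
  // fetchFn and now() are injectable so the flow can be exercised offline with a fake server and clock.
  constructor({ clientId, clientSecret, fetchFn = globalThis.fetch, now = () => Date.now(), skewMs = 60_000 }) {
    Object.assign(this, { clientId, clientSecret, fetchFn, now, skewMs });
    this.token = null; // { access_token, refresh_token, expires_at }; the password is never retained
  }

  async _grant(grant) {
    const res = await this.fetchFn(TOKEN_URL, {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: grantBody(this.clientId, this.clientSecret, grant),
    });
    if (res.status !== 200) throw new Error(`token request failed: ${res.status}`);
    const t = await res.json();
    // expires_in is a relative number of seconds; store an absolute deadline instead
    this.token = { access_token: t.access_token, refresh_token: t.refresh_token, expires_at: this.now() + t.expires_in * 1000 };
    return this.token;
  }

  login(username, password) {
    return this._grant({ grant_type: "password", username, password });
  }

  refresh() {
    if (!this.token) throw new Error("no refresh token yet; call login() first");
    return this._grant({ grant_type: "refresh_token", refresh_token: this.token.refresh_token });
  }

  // Treat the token as expired a little before expires_at to absorb clock skew between client and server.
  isExpired() {
    return !this.token || this.now() + this.skewMs >= this.token.expires_at;
  }

  // Bearer-authenticated call: refresh first if the local deadline has passed, and on a 401
  // (token revoked or expired server-side) refresh once and retry once.
  async apiFetch(url, opts = {}) {
    if (this.isExpired()) await this.refresh();
    const send = () => this.fetchFn(url, { ...opts, headers: { ...(opts.headers || {}), Authorization: `Bearer ${this.token.access_token}` } });
    let res = await send();
    if (res.status === 401) { await this.refresh(); res = await send(); }
    return res;
  }
}

// Constructed stand-in for the OAuth server and one API route so the example runs without network access.
// It issues sequential tokens, consumes each refresh token once, and answers 401 for unknown bearer tokens.
function makeMockServer({ clientId, clientSecret, user, pass, expiresIn = 3600 }) {
  const state = { access: new Set(), refresh: new Set(), n: 0, grants: [] };
  const json = (status, body) => ({ status, json: async () => body });
  const issue = () => {
    state.n += 1;
    const t = { access_token: `at${state.n}`, refresh_token: `rt${state.n}`, token_type: "Bearer", expires_in: expiresIn };
    state.access.add(t.access_token);
    state.refresh.add(t.refresh_token);
    return t;
  };
  const fetchFn = async (url, opts = {}) => {
    if (url === TOKEN_URL) {
      const p = new URLSearchParams(opts.body);
      state.grants.push(p.get("grant_type"));
      if (p.get("client_id") !== clientId || p.get("client_secret") !== clientSecret) return json(401, { error: "invalid_client" });
      if (p.get("grant_type") === "password") {
        return p.get("username") === user && p.get("password") === pass ? json(200, issue()) : json(400, { error: "invalid_grant" });
      }
      if (p.get("grant_type") === "refresh_token" && state.refresh.delete(p.get("refresh_token"))) return json(200, issue());
      return json(400, { error: "invalid_grant" });
    }
    const tok = ((opts.headers || {}).Authorization || "").replace(/^Bearer /, "");
    return state.access.has(tok) ? json(200, { ok: true, token: tok }) : json(401, { detail: "Invalid token" });
  };
  return { fetchFn, state, revoke: (tok) => state.access.delete(tok) };
}

// Scenario: log in, call the API, have the server revoke the token (observe 401 -> refresh -> retry),
// then advance the clock past expires_in (observe a proactive refresh with no 401 at all).
async function demo() {
  const creds = { clientId: "cid", clientSecret: "csecret", user: "alice", pass: "hunter2" }; // constructed values
  let clock = 1_700_000_000_000;
  const server = makeMockServer({ ...creds, expiresIn: 300 });
  const client = new OgsTokenClient({ clientId: creds.clientId, clientSecret: creds.clientSecret, fetchFn: server.fetchFn, now: () => clock });
  await client.login(creds.user, creds.pass);
  const first = await (await client.apiFetch(API_URL)).json();
  server.revoke(client.token.access_token);
  const second = await (await client.apiFetch(API_URL)).json();
  clock += 400 * 1000;
  const third = await (await client.apiFetch(API_URL)).json();
  return { first, second, third, grants: server.state.grants, expired: client.isExpired() };
}
```

`demo()` resolves to `{ first: {token: "at1"}, second: {token: "at2"}, third: {token: "at3"}, grants: ["password", "refresh_token", "refresh_token"] }`: one password grant at login, one refresh forced by the 401, one refresh driven purely by the local `expires_in` deadline. In a real extension the `token` object would be persisted (for example in `chrome.storage.local`) and the password discarded immediately after `login()` returns.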